Friday, 16 May 2014

I've been writing in this blog for about 3 years now and it's served me well, but I've decided to move to an Azure-hosted Ghost site which looks clean and is a lot easier to work with. At this point in time there are 63 articles with > 88,000 views. I'm not deleting this blog and not porting the articles over either.New blog is here (I ported the latest article over as a test):http://webbercross.azurewebsites.net

Sunday, 11 May 2014

In my last article we talked about
implementing AD single sign-on authentication to an MVC5 website, now we're going to look at adding AD group authorization to a controller with a customised AuthorizeAttribute implementation. Azure AD doesn’t currently
allow addition or custom roles, there are a number of built-in administrator
roles; however we have full control over groups so we can use these for
authorization.

Unfortunately
authorization isn’t as simple as just using the Authorize attribute with a role
as you would with ASP.Net roles, we need to query the Azure AD Graph API to
check if a user is a member of the
group. We’ll add a Sales group to the AzureBakery AD we created in the last article and then implement a
custom AuthorizeAttribute to query the Azure AD Graph API using the Azure AD
Graph client.

This was written for an MVC controller but can be used for a Web API controller and could used with Azure Mobile Services too.

We’re going to use the
Azure AD PowerShell module to modify the AD Application service principal later
in the procedure, so install this first.

Creating an AD Group

1.First go
the AD GROUP workspace in the portal for our Active Directory and click ADD
GROUP on the toolbar:

2.Enter a
name and description of the group and click the tick button to create it:

3.Next click
on the newly created group and then ADD MEMBERS on the toolbar:

4.In the Add
members dialog, click on the AD user we created to add it to the SELECTED list
and click the tick button to confirm:

5.Now go to
the GROUP CONFIGURE tab and make a note of the OBJECT ID, we’ll need this
later.

6.Next we
need to create a key for our application to allow us to access the graph API,
so create a new key in the APPLICATION workspace CONFIGURE tab:

7.Make a
note of this and the CLIENT ID.

8.We need to
create keys for the local and Azure AD applications.

Modifying the Application Service Principal

We need to modify
our application’s Service Principal so that it has permission to access the
Graph API, in theory this should be done by adjusting the permissions to other
applications section of the APPLICATION CONFIGURATION tab but at the time of
writing this it doesn’t work. Please try it yourself and if it doesn’t work for
you (you will get an unauthorized exception in the AD Graph API Client) use the
following procedure to manually add the service principal to an administrator
role:

1.Launch the
Azure AD PowerShell Console (from the desktop shortcut if you chose to use it).

2.First we
need to obtain our AD credentials, so type the following command and enter your
AD user credentials when prompted:

$msolcred = get-credential

This stores the credentials in a variable called $msolcred.

3.Next we
need to connect the console by typing the following command:

connect-msolservice -credential $msolcred

For a quick test, we can use the get-msoluser command to list AD users.
We should see something like this:

PS C:\WINDOWS\system32> get-msoluser

UserPrincipalName
DisplayName
isLicensed

-----------------
-----------
----------

gwebbercross_outlook.co... Geoff Webber-Cross False

geoff@azurebakery.onmic... Geoff False

4.Now we
need to get the service principal for our application using the following
command (get the CLIENT ID from CONFIGURE tab of the AD APPLICATION workspace
for the application associated with the website):

Implementing AzureAdAuthorizeAttribute

We’re going to
create a class called AzureAdAuthorizeAttribute which can be added to a
controller with either a group name or group ObjectId specified. The ObjectId
implementation is more efficient as it doesn’t require an additional query to
look up the id from the name.

We need to install the Microsoft.Azure.ActiveDirectory.GraphClient and Microsoft.IdentityModel.Clients.ActiveDirectory Microsoft.IdentityModel.Clients.ActiveDirectory NuGet packages by entering the following commands:

Install-Package Microsoft.Azure.ActiveDirectory.GraphClient

Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory

This is the complete
code for the attribute, the comments in the code explain what’s going on:

This article is an extract from a new book I'm writing titled "Learning Microsoft Azure" for Packt Publishing. This website is an admin website for the Sales Business domain of a fictional industrial bakery called Azure Bakery.

I this article, we’re going to create
an Azure Active Directory for the company, then add a user and configure a new MVC5 Administrator website to implement Azure AD Single Sign-On.

Configuring Active Directory

First we need to
create an Active Directory and an initial user account to sign in with

2.Fill out
the NAME of the directory, it’s DOMAIN NAME and the COUNTRY OR REGION:

3.Now from
the Active Directory USERS workspace, click ADD USER from the bottom toolbar to
add a user:

4.Fill in
the USER NAME. I’ve left TYPE OF USER as New user in your organization,
although you can add an existing Microsoft account or Windows Azure AD
directory:

5. Next, fill in the user details, select Global
Administrator for the ROLE and click the
next arrow:

6.Click
create on the next tab to get the temporary password for the user. Make a note
of it and also enter an email to send it to, then click the tick button to
finish:

Configuring an MVC Website for AD Single Sign-On

Next we’ll create a
new MVC website and use the wizard to help us setup AD single sign-on. In
Visual Studio 2012 this was quite tricky to do with a fair amount of manual
configuration in the portal and the website’s web.config, but it’s quite
straight forward in Visual Studio 2013.

2.Select
Organizational Accounts and enter the AD domain name for the Active Directory
we just created and click OK:

3.Sign in
using the new Active Directory user, then click OK in the previous dialog (be
careful to change the user to your Azure portal account when prompted to sign
into Azure).

4.Enter the
Site name, choose Subscription, Region, Database Server (select No database
because we’re using the existing one):

5.Click OK,
this will now provision the website, setup an AD application and create our MVC
project for us.

6.We can
test this locally by simply running the website from Visual Studio. You will
get a security warning due to the implementation of a temporary SSL certificate
on your local web server like this (in IE):

7.Accept the
warning (Continue to this website (not recommended) and you will then see the
AD Login page:

8.Login with
your new user and the website should load.

Publishing the Website with AD Single Sign-on

When Visual Studio
provisioned our website for us it created an application entry in the AD
APPLICATIONS tab for our local debug configuration:

Rather than changing
the APPLICATION CONFIGURATION for our production website, when we publish the
application, there is an option to Enable Organizational Authentication which
will add a new application entry in AD and rewrite the federation section of
the web.config for us on publish:

In the Publish Web
dialog, check Enable Organizational Authentication and enter the AD Domain name.
You will need to include a connection string for your database as the website
will update the database with entries in new IssuingAuthorityKeys and Tenants
tables:

Once published, we
will see a new entry in the AD APPLICATIONS workspace:

This is great as we
don’t need to reconfigure the applications between running locally and
publishing to Azure.